Abstract. While distributed systems with transfer of processes have become pervasive, methods for reasoning about their behaviour are underdeveloped. In this paper we propose a bisimulation technique for proving behavioural equivalence of such systems modelled in the higher-order π-calculus with passivation (and restriction). Previous research for this calculus is limited to context bisimulations and normal bisimulations, which are either impractical or unsound. In contrast, we provide a sound and useful definition of environmental bisimulations, with several non-trivial examples. Technically, a central point in our bisimulations is the clause for parallel composition, which must account for passivation of the spawned processes in the middle of their execution.



1 Introduction 

1.1 Background 

Higher-order distributed systems are ubiquitous in today's computing environment. To name but a few examples, companies like Dell and Hewlett-Packard sell products using virtual machine live migration [14,3], and Gmail users execute remote JavaScript code on local browsers. In this paper we call higher-order the ability to transfer processes, and distribution the possibility of location-dependent system behaviour. In spite of the de facto importance of such systems, they are hard to analyse because of their inherent complexity.

The π-calculus [8] and its dialects prevail as models of concurrency, and several variations of these calculi have been designed for distribution. First-order variations include the ambient calculus [1] and Dπ [2], while higher-order ones include the more recent Homer [4] and Kell [15] calculi. In this paper, we focus on the higher-order π-calculus with passivation [7], a simple high-level construct to express distribution. It is an extension of the higher-order π-calculus [9] (with which the reader is assumed to be familiar) with located processes $a[P]$ and two additional transition rules: $a[P] \xrightarrow{\bar a\langle 'P\rangle} 0$ (Passiv), and $a[P] \xrightarrow{\alpha} a[P']$ if $P \xrightarrow{\alpha} P'$ (Transp).

* Appendix with full proofs at http://www.kb.ecei.tohoku.ac.jp/~adrien/

The new syntax $a[P]$ reads as "process $P$ located at $a$", where $a$ is a name. Rule Transp specifies the transparency of locations, i.e. that a location has no impact on the transitions of the located process. Rule Passiv indicates that a located process can be passivated, that is, output to a channel of the same name as the location. Using passivation, various characteristics of distributed systems are expressible. For instance, failure of process $P$ located at $a$ can be modelled like $a[P] \mid a(X).\mathit{fail} \to \mathit{fail}$, and migration of process $P$ from location $b$ to $c$ like $b[P] \mid b(X).c[X] \to c[P]$.

One way to analyse the behaviour of systems is to compare implementations and specifications. Such comparison calls for satisfying notions of behavioural equivalence, such as reduction-closed barbed equivalence (and congruence) [5], written $\approx$ (and $\approx_c$, respectively) in this paper.

Unfortunately, these equivalences have succinct definitions that are not very practical as a proof technique, for they both include a condition that quantifies over arbitrary processes, like: if $P \approx Q$ then $\forall R.\ P \mid R \approx Q \mid R$. Therefore, more convenient definitions like bisimulations, for which membership implies behavioural equivalence, and which come with a co-inductive proof method, are sought after.

Still, the combination of both higher order and distribution has long been considered difficult. Recent research on higher-order process calculi led to defining sound context bisimulations [10] (often at the cost of appealing to Howe's method [6] for proving congruence), but those bisimulations suffer from their heavy use of universal quantification: suppose that $\nu\tilde c.\bar a\langle M\rangle.P \;\mathcal{X}\; \nu\tilde d.\bar a\langle N\rangle.Q$, where $\mathcal{X}$ is a context bisimulation; then it is roughly required that for any process $R$, we have $\nu\tilde c.(P \mid R\{M/X\}) \;\mathcal{X}\; \nu\tilde d.(Q \mid R\{N/X\})$. Not only must we consider the outputs $M$ and $N$, but we must also handle interactions of arbitrary $R$ with the continuation processes $P$ and $Q$. Alas, this almost comes down to showing reduction-closed barbed equivalence! In the higher-order π-calculus, by means of encoding into a first-order calculus, normal bisimulations [10] coincide with (and are a practical alternative to) context bisimulations. Unfortunately, normal bisimulations have proved to be unsound in the presence of passivation (and restriction) [7]. While this result cast a doubt on whether sound normal bisimulations exist for higher-order distributed calculi, it did not affect the potential of environmental bisimulations [11,16,17,12,13] as a useful proof technique for behavioural equivalence in those calculi.

1.2 Our contribution 

To the best of our knowledge, there are not yet any useful sound bisimulations for higher-order distributed process calculi. In this paper we develop environmental (weak) bisimulations for the higher-order π-calculus with passivation, which (1) are sound with respect to reduction-closed barbed equivalence, (2) can actually be used to prove behavioural equivalence of non-trivial processes (with restrictions), and (3) can also be used to prove reduction-closed barbed congruence of processes (see Corollary 1). To prove reduction-closed barbed equivalence (and congruence), we find a new clause to guarantee preservation of bisimilarity by parallel composition of arbitrary processes. Unlike the corresponding clause in previous research [7,13], it can also handle the later removal (i.e. passivation) of these processes while keeping the bisimulation proofs tractable. Several examples are given, thereby supporting our claim of the first useful bisimulations for a higher-order distributed process calculus. Moreover, we define an up-to context variant of the environmental bisimulations that significantly lightens the burden of equivalence proofs, as utilised in the examples.

Overview of the bisimulation. We now outline the definition of our environmental bisimulations. (Generalities on environmental bisimulations can be found in [12].) We define an environmental bisimulation $\mathcal{X}$ as a set of quadruples $(r, \mathcal{E}, P, Q)$ where $r$ is a set of names (i.e. channels and locations), $\mathcal{E}$ is a binary relation (called the environment) on terms, and $P, Q$ are processes. The bisimulation is a game where the processes $P$ and $Q$ are compared to each other by an attacker (or observer) who knows and can use the terms in the environment $\mathcal{E}$ and the names in $r$. For readability, the membership $(r, \mathcal{E}, P, Q) \in \mathcal{X}$ is often written $P \;\mathcal{X}_{\mathcal{E};r}\; Q$, and should be understood as "processes $P$ and $Q$ are bisimilar, under the environment $\mathcal{E}$ and the known names $r$."

The environmental bisimilarity is co-inductively defined by several conditions con- 
cerning the tested processes and the knowledge. As usual with weak bisimulations, we 
require that an internal transition by one of the processes is matched by zero or more 
internal transitions by the other, and that the remnants are still bisimilar. 

As usual with (more recent and less common) environmental bisimulations, we require that whenever a term $M$ is output to a known channel, the other tested process can output another term $N$ to the same channel, and that the residues are bisimilar under the environment extended with the pair $(M, N)$. The extension of the environment stands for the growth of knowledge of the attacker of the bisimulation game who observed the outputs $(M, N)$, although he cannot analyse them. This spells out like: for any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ and $a \in r$, if $P \xrightarrow{\nu\tilde c.\bar a\langle M\rangle} P'$ for fresh $\tilde c$, then $Q \stackrel{\nu\tilde d.\bar a\langle N\rangle}{\Longrightarrow} Q'$ for fresh $\tilde d$ and $P' \;\mathcal{X}_{\mathcal{E}\cup\{(M,N)\};r}\; Q'$.

Unsurprisingly, input must be doable on the same known channel by each process, and the continuations must still be bisimilar under the same environment, since nothing is learnt by the context. However, we require that the input terms are generated from the context closure of the environment. Intuitively, this closure represents all the processes an attacker can build by combining what he has learnt from previous outputs. Roughly, we define it as:

$(\mathcal{E};r)^\star = \{(C[\tilde M], C[\tilde N]) \mid C \text{ context},\ fn(C) \subseteq r,\ \tilde M \,\mathcal{E}\, \tilde N\}$

where $\tilde M$ denotes a sequence $M_0, \ldots, M_n$, and $\tilde M \,\mathcal{E}\, \tilde N$ means that for all $0 \le i \le n$, $M_i \,\mathcal{E}\, N_i$. Therefore, the input clause looks like: for any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$, $a \in r$ and $(M, N) \in (\mathcal{E};r)^\star$, if $P \xrightarrow{a(M)} P'$, then $Q \stackrel{a(N)}{\Longrightarrow} Q'$ and $P' \;\mathcal{X}_{\mathcal{E};r}\; Q'$.

The set $r$ of known names can be extended at will by the observer, provided that the new names are fresh: for any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ and $n$ fresh, we have $P \;\mathcal{X}_{\mathcal{E};r\cup\{n\}}\; Q$.

Parallel composition. The last clause is crucial to the soundness and usefulness of environmental bisimulations for languages with passivation, and not as straightforward as the other clauses. The idea at its base is that not only may an observer run arbitrary processes $R$ in parallel to the tested ones (as in reduction-closed barbed equivalence), but he may also run arbitrary processes $M, N$ he assembled from previous observations. It is critical to ensure that bisimilarity (and hopefully equivalence) is preserved by such parallel composition, and that this property can be easily proved. As $(\mathcal{E};r)^\star$ is the set of processes that can be assembled from previous observations, we would naively expect the appropriate clause to look like:

For any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ and $(M, N) \in (\mathcal{E};r)^\star$, we have $P \mid M \;\mathcal{X}_{\mathcal{E};r}\; Q \mid N$

but this subsumes the already impractical clause of reduction-closed barbed equivalence which we want to get round. Previous research [7,13] uses a weaker condition:

For any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ and $(M, N) \in \mathcal{E}$, we have $P \mid M \;\mathcal{X}_{\mathcal{E};r}\; Q \mid N$

arguing that $(\mathcal{E};r)^\star$ can informally do no more observations than $\mathcal{E}$, but this clause is unsound in the presence of passivation. The reason behind the unsoundness is that, in our setting, not only can a context spawn new processes $M, N$, but it can also remove running processes it created by passivating them later on. For example, consider the processes $P = \bar a\langle R\rangle.!R$ and $Q = \bar a\langle 0\rangle.!R$. Under the above weak condition, it would be easy to construct an environmental bisimulation that relates $P$ and $Q$. However, a process $a(X).m[X]$ may distinguish them. Indeed, it may receive process $R$ and start running it in location $m$, or may receive process $0$ and run a copy of $R$ from $!R$. If $R$ is a process doing several sequential actions (for example if $R = lock.unlock$) and is passivated in the middle of its execution, then the remaining processes after passivation are not equivalent any more.
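To make the distinction concrete, the following worked derivation (added here; it is not part of the original paper) plays out the observer's moves for the case $R = lock.unlock$. It reads $lock$ and $unlock$ as two sequential input prefixes, following the abbreviation $a.P$ for $a(X).P$ adopted later in the paper, and writes the tester with an explicit $run$ as $T = a(X).m[run(X)]$; both are assumptions about how the informal $a(X).m[X]$ above is to be read. The labels $lock(M)$ stand for an input of some term $M$ supplied by the observer.

$$
\begin{array}{l}
P \mid T \;=\; \bar a\langle 'R\rangle.!R \mid a(X).m[run(X)] \\
\quad \xrightarrow{\tau}\; !R \mid m[run('R)] \;\xrightarrow{\tau}\; !R \mid m[lock.unlock] \;\xrightarrow{lock(M)}\; !R \mid m[unlock] \;\xrightarrow{\bar m\langle 'unlock\rangle}\; !R \\[1ex]
Q \mid T \;=\; \bar a\langle '0\rangle.!R \mid a(X).m[run(X)] \\
\quad \xrightarrow{\tau}\; !R \mid m[run('0)] \;\xrightarrow{\tau}\; !R \mid m[0] \;\xrightarrow{lock(M)}\; !R \mid unlock \mid m[0] \;\xrightarrow{\bar m\langle '0\rangle}\; !R \mid unlock
\end{array}
$$

On each side the first $\tau$ is the communication on $a$ and the second is Run under Transp. The $lock(M)$ step on the left is Transp applied to $R$ inside $m$; on the right, $m[0]$ has no transition, so the only way to match it is to unfold a copy of $R$ from $!R$, which leaves a bare $unlock$ outside the location. The last step is Passiv on $m$. Both sides have now produced the same labels, but the residues $!R$ and $!R \mid unlock$ are not bisimilar: the right one can do $unlock(M')$ immediately, whereas every $unlock$ in $!R$ is guarded by a $lock$. This is precisely the situation that the spawning clause with located processes $a[M]$ and $a[N]$, rather than bare $M$ and $N$, is designed to expose: a process the observer spawned is removed in the middle of its execution.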

To account for this new situation, we decide to modify the condition on the provenance of processes that can be spawned, drawing them from $\{(a[M], a[N]) \mid a \in r,\ (M, N) \in \mathcal{E}\}$, thus giving the clause:

For any $P \;\mathcal{X}_{\mathcal{E};r}\; Q$, $a \in r$ and $(M, N) \in \mathcal{E}$, we have $P \mid a[M] \;\mathcal{X}_{\mathcal{E};r}\; Q \mid a[N]$.

The new condition allows any running process that has been previously created by the observer to be passivated, that is, removed from the current test. This clause is much more tractable than the first one using $(\mathcal{E};r)^\star$ and, unlike the second one using only $\mathcal{E}$, leads to sound environmental bisimulations (albeit with a limitation; see Remark 1).

Example. With our environmental bisimulations, non-trivial equivalence of higher-order distributed processes can be shown, such as $P_0 = !a[e \mid \bar e]$ and $Q_0 = !a[e] \mid !a[\bar e]$, where $e$ abbreviates $e(X).0$ and $\bar e$ is $\bar e\langle '0\rangle.0$. We explain here informally how we build a bisimulation $\mathcal{X}$ relating those processes.

$\mathcal{X} = \{(r, \mathcal{E}, P, Q) \mid r \supseteq \{a, e\},\ \mathcal{E} = \{0, e, \bar e, e \mid \bar e\} \times \{0, e, \bar e\},\ P = P_0 \mid \prod_{i=1}^{n} l_i[M_i],\ Q = Q_0 \mid \prod_{i=1}^{n} l_i[N_i],\ n \ge 0,\ l_i \in r,\ (M_i, N_i) \in \mathcal{E}\}$

Since we want $P_0 \;\mathcal{X}\; Q_0$, the spawning clause of the bisimulation requires that for any $(M_1, N_1) \in \mathcal{E}$ and $l_1 \in r$, we have $P_0 \mid l_1[M_1] \;\mathcal{X}_{\mathcal{E};r}\; Q_0 \mid l_1[N_1]$. Then, by repeatedly applying this clause, we obtain $(P_0 \mid \prod_{i=1}^{n} l_i[M_i]) \;\mathcal{X}_{\mathcal{E};r}\; (Q_0 \mid \prod_{i=1}^{n} l_i[N_i])$. Since the observer can add fresh names at will, we require $r$ to be a superset of the free names $\{a, e\}$ of $P_0$ and $Q_0$. Also, we have the intuition that the only possible outputs from $P$ and $Q$ are the processes $e \mid \bar e$, $e$, $\bar e$, and $0$. Thus, we set ahead $\mathcal{E}$ as the Cartesian product of $\{0, e, \bar e, e \mid \bar e\}$ with $\{0, e, \bar e\}$, that is, the combination of expectable outputs. We emphasize that it is indeed reasonable to relate $e$, $\bar e$ and $e \mid \bar e$ to $0$, $e$ and $\bar e$ in $\mathcal{E}$, for the observer cannot analyse the pairs: he can only use them along the tested processes $P$ and $Q$ which, by the design of environmental bisimulations, will make up for the differences.

Fig. 1. Simulation of observable transitions

Let us now observe the possible transitions from $P$ and their corresponding transitions from $Q$ by glossing over two pairs of trees, where related branches represent the correspondences. (Simulation in the other direction is similar and omitted for brevity.) First, let us consider the input and output actions as shown in Figure 1: (i) when $P_0$ does an input action $e$ or an output action $\bar e$, it leaves behind a process $a[\bar e]$ or $a[e]$, respectively. $Q_0$ can also do the same action, leaving $a[0]$. Since both $(\bar e, 0)$ and $(e, 0)$ are in $\mathcal{E}$, we can add the leftover processes to the respective products $\prod$; (ii) output by passivation is trivial to match (without loss of generality, we only show the case $i = n$), and (iii) observable actions $\alpha$ of an $M_n$, leaving a residue $M'_n$, are matched by one of $Q_0$'s $a[\alpha]$, leaving $a[0]$. To pair with this $a[0]$, we replicate an $a[e \mid \bar e]$ from $P_0$, and then, as in (i), they add up to the products $\prod$.

In a similar way, we explain how $\tau$ transitions of $P$ are matched by $Q$, with another pair of transition trees described in Figure 2.

(1) When an $a[e \mid \bar e]$ from $P_0$ turns into $a[0]$, $Q$ does not have to do any action, for we work with weak bisimulations. By replication, $Q$ can produce a copy $a[e]$ (or alternatively $a[\bar e]$) from $Q_0$, and since $(0, e)$ is in $\mathcal{E}$, we can add the $a[0]$ and the copy $a[e]$ to the products $\prod$; (2) $P$ can also make a reaction between two copies of $a[e \mid \bar e]$ in $P_0$, leaving behind $a[e]$ and $a[\bar e]$. As in (1), $Q$ can draw two copies of $a[e]$ from $Q_0$, and each product can be enlarged by two elements; (3) it is also possible for $M_n = e \mid \bar e$ to do a $\tau$ transition, becoming $M'_n = 0$. It stands that $(M'_n, N_n) \in \mathcal{E}$ and we are done; (4) very similarly, two processes $M_n$ and $M_{n-1}$ may react, becoming $M'_n$ and $M'_{n-1}$. It stands also that $(M'_{n-1}, N_{n-1})$ and $(M'_n, N_n)$ are in $\mathcal{E}$, so the resulting processes are still related; (5) it is possible for $M_n$ to follow the transition $M_n \xrightarrow{\alpha} M'_n$ and react with a copy $a[e \mid \bar e]$ from $P_0$, which leaves behind $a[\alpha]$ (since the complementary $\bar\alpha$ has been consumed to conclude the reaction). Again, it stands that $M'_n$ and $N_n$ are related by $\mathcal{E}$, and that we can draw an $a[e]$ from $Q_0$ to pair it with the residue in the products $\prod$; (6) also, a copy $a[e \mid \bar e]$ from $P_0$ may passivate an $l_i[M_i]$, provided $l_i = e$, and leave a residue $a[\bar e]$. $Q$ can do the same passivation using $Q_0$'s $a[e]$, and leave $a[0]$. As it happens that $(\bar e, 0)$ is in $\mathcal{E}$, the residues can be added to the products too; (7) finally, the process $l_n[M_n]$, if $l_n = e$, may be passivated by $M_{n-1}$, reducing the size of $P$'s product. $Q$ can passivate $l_n[N_n]$ too, using a copy $a[e]$ from $Q_0$, which becomes $a[0]$ after the reaction. $Q$'s product too is shorter, but we need to add the $a[0]$ to it. To do so, we draw a copy $a[e \mid \bar e]$ from $P_0$, and since $(e \mid \bar e, 0)$ is in $\mathcal{E}$, $a[e \mid \bar e]$ and $a[0]$ are merged into their respective products.

Fig. 2. Simulation of internal transitions (dotted lines mean zero transitions)

This ends the sketch of the proof that $\mathcal{X}$ is an environmental bisimulation, and therefore that $!a[e \mid \bar e]$ and $!a[e] \mid !a[\bar e]$ are behaviourally equivalent.

1.3 Overview of the paper 

The rest of this paper is structured as follows. In Section 2 we describe the higher-order π-calculus with passivation. In Section 3 we formalize our environmental bisimulations. In Section 4 we give some examples of bisimilar processes. In Section 5 we bring up some future work to conclude our paper.

2 Higher-order π-calculus with passivation

We introduce a slight variation of the higher-order π-calculus with passivation [7], HOπP for short, through its syntax and a labelled transition system.

2.1 Syntax 

The syntax of our HOπP processes $P, Q$ is given by the following grammar, very similar to that of Lenglet et al. [7] (the higher-order π-calculus extended with located processes and their passivation):

$P, Q ::= 0 \mid a(X).P \mid \bar a\langle M\rangle.P \mid (P \mid P) \mid a[P] \mid \nu a.P \mid !P \mid run(M)$
$M, N ::= X \mid 'P$

$X$ ranges over the set of variables, and $a$ over the set of names, which can be used for both locations and channels. $a[P]$ denotes the process $P$ running in location $a$. To define a general up-to context technique (Definition 2; see also Section 5), we distinguish terms $M, N$ from processes $P, Q$ and adopt explicit syntax for processes as terms $'P$ and their execution $run(M)$.

2.2 Labelled transition system

We define $n$, $fn$, $bn$ and $fv$ to be the functions that return respectively the set of names, free names, bound names and free variables of a process or an action. We abbreviate a (possibly empty) sequence $x_0, x_1, \ldots, x_n$ as $\tilde x$ for any meta-variable $x$. The transition semantics of HOπP is given by the labelled transition system of the higher-order π-calculus (omitting symmetric rules Par-R and React-R), extended with the following three rules:

Transp: $\dfrac{P \xrightarrow{\alpha} P'}{a[P] \xrightarrow{\alpha} a[P']}$ \qquad Passiv: $a[P] \xrightarrow{\bar a\langle 'P\rangle} 0$ \qquad Run: $run('P) \xrightarrow{\tau} P$



Assuming again knowledge of the standard higher-order π-calculus [9,11], we only explain below the three added rules that are not part of it. The Transp rule expresses the transparency of locations, the fact that transitions can happen below a location and be observed outside its boundary. The Passiv rule illustrates that, at any time, a process running under a location can be passivated (stopped and turned into a term) and sent along the channel corresponding to the location's name. Quotation of the process output reminds us that higher-order communications transport terms. Finally, the Run rule shows how, at the cost of an internal transition, a process term can be instantiated. As usual with small-step semantics, transition does not progress for undefined cases (such as $run(X)$) or when the assumptions are not satisfied.

Henceforth, we shall write $\bar a.P$ to mean $\bar a\langle '0\rangle.P$ and $a.P$ for $a(X).P$ if $X \notin fv(P)$. We shall also write $\equiv$ for the structural congruence, whose definition is standard (see the appendix, Definition A.1).



3 Environmental bisimulations of HOπP

Given the higher-order nature of the language, and in order to get round the universal quantification issue of context bisimulations, we would like observations (terms) to be stored and reusable for further testing. To this end, let us define an environmental relation $\mathcal{X}$ as a set of elements $(r, \mathcal{E}, P, Q)$ where $r$ is a finite set of names, $\mathcal{E}$ is a binary relation (with finitely many free names) on variable-closed terms (i.e. terms with no free variables), and $P$ and $Q$ are variable-closed processes.

We generally write $x \uplus S$ to express the set union $\{x\} \cup S$. We also use the graphically convenient notation $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ to mean $(r, \mathcal{E}, P, Q) \in \mathcal{X}$ and define the term context closure $(\mathcal{E};r)^\star = \mathcal{E} \cup \{('P, 'Q) \mid (P, Q) \in (\mathcal{E};r)^\circ\}$ with the process context closure $(\mathcal{E};r)^\circ = \{(C[\tilde M], C[\tilde N]) \mid \tilde M \,\mathcal{E}\, \tilde N,\ C \text{ context},\ bn(C) \cap fn(\mathcal{E}, r) = \emptyset,\ fn(C) \subseteq r\}$, where a context is a process with zero or more holes for terms. Note the distinction of terms $'P, 'Q$ from processes $P, Q$. We point out that $(\emptyset; r)^\star$ is the identity on terms with free names in $r$, that $(\mathcal{E}; r)^\star$ includes $\mathcal{E}$ by definition, and that the context closure operations are monotonic on $\mathcal{E}$ (and $r$). Therefore, for any $\mathcal{E}$ and $r$, the set $(\mathcal{E}; r)^\star$ includes the identity $(\emptyset; r)^\star$ too. Also, we use the notations $S.1$ and $S.2$ to denote the first and second projections of a relation (i.e. set of pairs) $S$. Finally, we define weak transitions $\Rightarrow$ as the reflexive, transitive closure of $\xrightarrow{\tau}$, and $\stackrel{\alpha}{\Longrightarrow}$ as $\Rightarrow\xrightarrow{\alpha}\Rightarrow$ for $\alpha \neq \tau$ (and define $\stackrel{\tau}{\Longrightarrow}$ as $\Rightarrow$).

We can now define environmental bisimulations formally: 

Definition 1. An environmental relation $\mathcal{X}$ is an environmental bisimulation if $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ implies:

1. if $P \xrightarrow{\tau} P'$, then $\exists Q'.\ Q \Rightarrow Q'$ and $P' \;\mathcal{X}_{\mathcal{E};r}\; Q'$,

2. if $P \xrightarrow{a(M)} P'$ with $a \in r$, and if $(M, N) \in (\mathcal{E};r)^\star$, then $\exists Q'.\ Q \stackrel{a(N)}{\Longrightarrow} Q'$ and $P' \;\mathcal{X}_{\mathcal{E};r}\; Q'$,

3. if $P \xrightarrow{\nu\tilde b.\bar a\langle M\rangle} P'$ with $a \in r$ and $\tilde b \notin fn(r, \mathcal{E}.1)$, then $\exists Q', N.\ Q \stackrel{\nu\tilde c.\bar a\langle N\rangle}{\Longrightarrow} Q'$ with $\tilde c \notin fn(r, \mathcal{E}.2)$ and $P' \;\mathcal{X}_{(M,N)\uplus\mathcal{E};r}\; Q'$,

4. for any $('P_1, 'Q_1) \in \mathcal{E}$ and $a \in r$, we have $P \mid a[P_1] \;\mathcal{X}_{\mathcal{E};r}\; Q \mid a[Q_1]$,

5. for any $n \notin fn(\mathcal{E}, P, Q)$, we have $P \;\mathcal{X}_{\mathcal{E};n\uplus r}\; Q$, and

6. the converse of 1, 2 and 3 on $Q$'s transitions.

Modulo the symmetry resulting from clause 6, clause 1 is usual; clause 2 enforces bisimilarity to be preserved by any input that can be built from the knowledge, hence the use of the context closure; clause 3 enlarges the knowledge of the observer with the leaked out terms. Clause 4 allows the observer to spawn (and immediately run) terms concurrently to the tested processes, while clause 5 shows that he can also create fresh names at will.

A few points related to the handling of free names are worth mentioning: as the set of free names in $\mathcal{E}$ is finite, clause 5 can always be applied; therefore, the attacker can add arbitrary fresh names to the set $r$ of known names so as to use them in terms $M$ and $N$ in clause 2. Fresh $\tilde b$ and $\tilde c$ in clause 3 also exist thanks to the finiteness of free names in $\mathcal{E}$ and $r$.

We define environmental bisimilarity $\sim$ as the union of all environmental bisimulations, and it holds that it is itself an environmental bisimulation (all the conditions above are monotone on $\mathcal{X}$). Therefore, $P \sim_{\mathcal{E};r} Q$ if and only if $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ for some environmental bisimulation $\mathcal{X}$. We do particularly care about the situation where $\mathcal{E} = \emptyset$ and $r = fn(P, Q)$. It corresponds to the equivalence of two processes when the observer knows all of their free names (and thus can do all observations), but has not yet learnt any output pair.

For improving the practicality of our bisimulation proof method, let us devise an up-to context technique [11, p. 86]: for an environmental relation $\mathcal{X}$, we write $P \;\mathcal{X}^{\bullet}_{\mathcal{E};r}\; Q$ if $P \equiv \nu\tilde c.(P_0 \mid P_1)$, $Q \equiv \nu\tilde d.(Q_0 \mid Q_1)$, $P_0 \;\mathcal{X}_{\mathcal{E}';r'}\; Q_0$, $(P_1, Q_1) \in (\mathcal{E}';r')^\circ$, $\mathcal{E} \subseteq (\mathcal{E}';r')^\star$, $r \subseteq r'$ and $\{\til c\} \cap fn(r, \mathcal{E}.1) = \{\tilde d\} \cap fn(r, \mathcal{E}.2) = \emptyset$. As a matter of fact, this is actually an up-to context and up-to environment and up-to restriction and up-to structural congruence technique, but because of the clumsiness of this appellation we will restrain ourselves to "up-to context" to preserve clarity. To roughly explain the convenience behind this notation and its (long) name: (1) "up-to context" states that we can take any $(P_1, Q_1)$ from the (process) context closure $(\mathcal{E}';r')^\circ$ of the environment $\mathcal{E}'$ (with free names in $r'$) and execute them in parallel with processes $P_0$ and $Q_0$ related by $\mathcal{X}_{\mathcal{E}';r'}$; similarly, we allow environments $\mathcal{E}$ with terms that are not in $\mathcal{E}'$ itself but are in the (term) context closure $(\mathcal{E}';r')^\star$; (2) "up-to environment" states that, when proving the bisimulation clauses, we please ourselves with environments $\mathcal{E}'$ that are larger than the $\mathcal{E}$ requested by Definition 1; (3) "up-to restriction" states that we also content ourselves with tested processes $P, Q$ with extra restrictions $\nu\tilde c$ and $\nu\tilde d$ (i.e. fewer observable names); (4) finally, "up-to structural congruence" states that we identify all processes that are structurally congruent to $\nu\tilde c.(P_0 \mid P_1)$ and $\nu\tilde d.(Q_0 \mid Q_1)$.

Using this notation, we define environmental bisimulations up-to context as follows: 

Definition 2. An environmental relation $\mathcal{X}$ is an environmental bisimulation up-to context if $P \;\mathcal{X}_{\mathcal{E};r}\; Q$ implies:

1. if $P \xrightarrow{\tau} P'$, then $\exists Q'.\ Q \Rightarrow Q'$ and $P' \;\mathcal{X}^{\bullet}_{\mathcal{E};r}\; Q'$,

2. if $P \xrightarrow{a(M)} P'$ with $a \in r$, and if $(M, N) \in (\mathcal{E};r)^\star$, then $\exists Q'.\ Q \stackrel{a(N)}{\Longrightarrow} Q'$ and $P' \;\mathcal{X}^{\bullet}_{\mathcal{E};r}\; Q'$,

3. if $P \xrightarrow{\nu\tilde b.\bar a\langle M\rangle} P'$ with $a \in r$ and $\tilde b \notin fn(r, \mathcal{E}.1)$, then $\exists Q', N.\ Q \stackrel{\nu\tilde c.\bar a\langle N\rangle}{\Longrightarrow} Q'$ with $\tilde c \notin fn(r, \mathcal{E}.2)$ and $P' \;\mathcal{X}^{\bullet}_{(M,N)\uplus\mathcal{E};r}\; Q'$,

4. for any $('P_1, 'Q_1) \in \mathcal{E}$ and $a \in r$, we have $P \mid a[P_1] \;\mathcal{X}^{\bullet}_{\mathcal{E};r}\; Q \mid a[Q_1]$,

5. for any $n \notin fn(\mathcal{E}, P, Q)$, we have $P \;\mathcal{X}_{\mathcal{E};n\uplus r}\; Q$, and

6. the converse of 1, 2 and 3 on $Q$'s transitions.

The conditions on each clause (except 5, which is unchanged for the sake of technical convenience) are weaker than those of the standard environmental bisimulations, as we require in the positive instances bisimilarity modulo a context, not just bisimilarity itself. It is important to remark that, unlike in [12] but as in [13], we do not need a specific context to avoid stating a tautology in clause 4: indeed, we spawn terms $('P_1, 'Q_1) \in \mathcal{E}$ immediately as processes $P_1$ and $Q_1$, while the context closure can only use the terms under an explicit $run$ operator.

We prove the soundness (under some condition; see Remark 1) of environmental bisimulations as follows. Full proofs are found in the appendix, Section B, but are nonetheless sketched below.

Lemma 1 (Input lemma). If $(P_1, Q_1) \in (\mathcal{E};r)^\circ$ and $P_1 \xrightarrow{a(M)} P'_1$ then $\forall N\,\exists Q'_1.\ Q_1 \xrightarrow{a(N)} Q'_1$ and $(P'_1, Q'_1) \in ((M, N)\uplus\mathcal{E}; r)^\circ$.

Lemma 2 (Output lemma). If $(P_1, Q_1) \in (\mathcal{E};r)^\circ$, $\{\tilde b\} \cap fn(\mathcal{E}, r) = \emptyset$ and $P_1 \xrightarrow{\nu\tilde b.\bar a\langle M\rangle} P'_1$ then $\exists Q'_1, N.\ Q_1 \xrightarrow{\nu\tilde b.\bar a\langle N\rangle} Q'_1$, $(P'_1, Q'_1) \in (\mathcal{E}; \tilde b \uplus r)^\circ$ and $(M, N) \in (\mathcal{E}; \tilde b \uplus r)^\star$.

Definition 3 (Run-erasure). We write $P \preceq Q$ if $P$ can be obtained by (possibly repeatedly) replacing zero or more subprocesses $run('R)$ of $Q$ with $R$, and write $P \;\mathcal{Y}^{\preceq}_{\mathcal{E};r}\; Q$ for $P \preceq \mathcal{Y}^{\bullet}_{\mathcal{E};r} \succeq Q$ (i.e. $P \preceq P''$, $P'' \;\mathcal{Y}^{\bullet}_{\mathcal{E};r}\; Q''$ and $Q'' \succeq Q$ for some $P''$, $Q''$).



Definition 4 (Simple environment). A process is called simple if none of its subprocesses has the form $\nu a.P$ or $a(X).P$ with $X \in fv(P)$. An environment is called simple if all the processes in it are simple. An environmental relation is called simple if all of its environments are simple (note that the tested processes may still be non-simple).

Lemma 3 (Reaction lemma). For any simple environmental bisimulation up-to context $\mathcal{Y}$, if $P \;\mathcal{Y}^{\bullet}_{\mathcal{E};r}\; Q$ and $P \xrightarrow{\tau} P'$, then there is a $Q'$ such that $Q \Rightarrow Q'$ and $P' \;\mathcal{Y}^{\bullet}_{\mathcal{E};r}\; Q'$.

Proof sketch. Lemma 1 (resp. 2) is proven by straightforward induction on the transition derivation of $P_1 \xrightarrow{a(M)} P'_1$ (resp. $P_1 \xrightarrow{\nu\tilde b.\bar a\langle M\rangle} P'_1$). Lemma 3 is proven last, as it uses the other two lemmas (for the internal communication case).

Lemma 4 (Soundness of up-to context). Simple bisimilarity up-to context is included in bisimilarity.

Proof sketch. By checking that $\{(r, \mathcal{E}, P, Q) \mid P \;\mathcal{Y}^{\bullet}_{\mathcal{E};r}\; Q\}$ is included in $\sim$, where $\mathcal{Y}$ is the simple environmental bisimilarity up-to context. In particular, we use Lemma 1 for clause 2, Lemma 2 for clause 3 and Lemma 3 for clause 1 of the environmental bisimulation.

Our definitions of reduction-closed barbed equivalence $\approx$ and congruence $\approx_c$ are standard and omitted for brevity; see the appendix, Definitions B.2 and B.3.

Theorem 1 (Barbed equivalence from environmental bisimulation).

If $P \;\mathcal{Y}_{\emptyset;\,fn(P,Q)}\; Q$ for a simple environmental bisimulation up-to context $\mathcal{Y}$, then $P \approx Q$.

Proof sketch. By verifying that each clause of the definition of $\approx$ is implied by membership of $\mathcal{Y}^{\bullet}$, using Lemma 4 for the parallel composition clause.

Corollary 1 (Barbed congruence from environmental bisimulation).

If $\bar a\langle 'P\rangle \;\mathcal{Y}_{\emptyset;\,a \uplus fn(P,Q)}\; \bar a\langle 'Q\rangle$ for a simple environmental bisimulation up-to context $\mathcal{Y}$, then $P \approx_c Q$.

We recall that, in context bisimulations, showing the equivalence of $\bar a\langle 'P\rangle$ and $\bar a\langle 'Q\rangle$ almost amounts to testing the equivalence of $P$ and $Q$ in every context. However, with environmental bisimulations, only the location context in clause 4 of the bisimulation has to be considered.

Remark 1. The extra condition "simple" is needed because of a technical difficulty in the proof of Lemma 3: when an input process $a(X).P$ is spawned under location $b$ in parallel with an output context $\nu c.\bar a\langle M\rangle.Q$ (with $c \in fn(M)$), they can make the transition $b[a(X).P \mid \nu c.\bar a\langle M\rangle.Q] \xrightarrow{\tau} b[\nu c.(P\{M/X\} \mid Q)]$, where the restriction operator $\nu c$ appears inside the location $b$ (and therefore can be passivated together with the processes); however, our spawning clause only gives us $b[a(X).P] \mid \nu c.\bar a\langle M\rangle.Q \xrightarrow{\tau} \nu c.(b[P\{M/X\}] \mid Q)$ and does not cover the above case. Further investigation is required to overcome this difficulty (although we have not yet found a concrete counterexample to soundness, we conjecture some modification to the bisimulation clauses would be necessary). Note that, even if the environments are simple, the tested processes do not always have to be simple, as in Examples 4 and 5. Moreover, thanks to up-to context, even the output terms (including passivated processes) can be non-simple.



4 Examples 



Here, we give some examples of HOπP processes whose behavioural equivalence is proven with the help of our environmental bisimulations. In each example, we prove the equivalence by exhibiting a relation $\mathcal{X}$ containing the two processes we consider, and by showing that it is indeed a bisimulation up-to context (and environment, restriction and structural congruence). We write $P \mid \ldots \mid P$ for a finite, possibly null, product of the process $P$.

Example 1. $e \mid !a[e] \mid !a[0] \approx !a[e] \mid !a[0]$. (This example comes from [7].)

Proof. Take $\mathcal{X} = \{(r, \emptyset, e \mid P, P) \mid r \supseteq \{a, e\}\} \cup \{(r, \emptyset, P, P) \mid r \supseteq \{a, e\}\}$ where $P = !a[e] \mid !a[0]$. It is immediate to verify that whenever $P \xrightarrow{\alpha} P'$, we have $P' \equiv P$, and therefore that the transition $e \mid P \xrightarrow{\alpha} e \mid P' \equiv e \mid P$ can be matched by $P \xrightarrow{\alpha} P' \equiv P$, and conversely. Also, for $e \mid P \xrightarrow{e(M)} P$, we have that $P \xrightarrow{e(M)} !a[e] \mid a[0] \mid !a[0] \equiv P$ and we are done since $(r, \emptyset, P, P) \in \mathcal{X}$. Moreover, the set $r$ must contain the free names of $P$, and to satisfy clause 5 about adding fresh names, bigger $r$'s must be allowed too. The passivations of $a[e]$ and $a[0]$ can be matched by syntactically equal actions with the pairs of output terms $('e, 'e)$ and $('0, '0)$ included in the identity, which in turn is included in the context closure $(\emptyset; r)^\star$. Finally, clause 4 of the bisimulation is vacuously satisfied because the environment is empty. We therefore have $e \mid !a[e] \mid !a[0] \approx !a[e] \mid !a[0]$ from the soundness of environmental bisimulation up-to context.

Example 2. $!a[!e] \approx !a[e]$.

Proof sketch. Take $\mathcal{X} = \{(r, \mathcal{E}, P, Q) \mid r \supseteq \{a, e, l_1, \ldots, l_n\},\ \mathcal{E} = \{('0, 'e)\},\ n \ge 0,\ P = !a[!e] \mid \prod_{i=1}^{n} l_i[e],\ Q = !a[e] \mid \prod_{i=1}^{n} l_i[e] \mid a[0] \mid \ldots \mid a[0]\}$. See the appendix, Example C.1, for the rest of the proof.

Example 3. $!a[e] \mid !b[\bar e] \approx !a[b[e \mid \bar e]]$. This example shows the equivalence proof of more complicated processes with nested locations.

Proof sketch. Take:

$\mathcal{X} = \{(r, \mathcal{E}, P, Q) \mid r \supseteq \{a, e, b, l_1, \ldots, l_n\},\ P_0 = !a[e] \mid !b[\bar e],\ Q_0 = !a[b[e \mid \bar e]],\ P = P_0 \mid \prod_{i=1}^{n} l_i[P_i] \mid b[0] \mid \ldots \mid b[0],\ Q = Q_0 \mid \prod_{i=1}^{n} l_i[Q_i],\ ('P_i, 'Q_i) \in \mathcal{E},\ n \ge 0\}$,
$\mathcal{E} = \{('x, 'y) \mid x \in \{0, e, \bar e\},\ y \in \{0, e, \bar e, (e \mid \bar e), b[0], b[e], b[\bar e], b[e \mid \bar e]\}\}$.

See the appendix, Example C.2, for the rest of the proof.

Example 4. $c(X).run(X) \approx \nu f.(f[c(X).run(X)] \mid !f(Y).f[run(Y)])$. The latter process models a system where a process $c(X).run(X)$ runs in location $f$, and executes any process $P$ it has received. In parallel is a process $f(Y).f[run(Y)]$ which can passivate $f[P]$ and respawn the process $P$ under the same location $f$. Informally, this models a system which can restart a computer and resume its computation after a failure.



Proof. Take $\mathcal{X} = \mathcal{X}_1 \cup \mathcal{X}_2$ where:

$\mathcal{X}_1 = \{(r, \emptyset, c(X).run(X), \nu f.(f[c(X).run(X)] \mid !f(Y).f[run(Y)])) \mid r \supseteq \{c\}\}$,
$\mathcal{X}_2 = \{(r, \emptyset, P, Q) \mid r \supseteq c \uplus fn(R),\ S = run('run(\ldots 'run('R) \ldots)),\ P \in \{run('R), R\},\ Q = \nu f.(f[S] \mid !f(Y).f[run(Y)])\}$.

As usual, we require that $r$ contains at least the free name $c$ of the tested processes. All outputs belong to $(\emptyset; r)^\star$ since they come from a process $R$ drawn from $(\emptyset; r)^\star$, and therefore we content ourselves with an empty environment $\emptyset$. Also, by the emptiness of the environment, clause 4 of environmental bisimulations is vacuously satisfied.

Verification of transitions of elements of X_1, i.e. inputs of some 'R (with ('R, 'R) ∈ (∅;Γ)*) from c, is immediate and leads to checking elements of X_2. For elements of X_2, we observe that P = run('R) can do one τ transition to become R, while Q can do an internal transition passivating the process run('R) running in f and placing it inside f[run(' )], again and again. Q can also do τ transitions that consume all the run(' )'s until it becomes R. Whenever P (resp. Q) makes an observable transition, Q (resp. P) can consume the run(' )'s and weakly do the same action, as they exhibit the same process. We observe that all transitions preserve membership in X_2 (thus in X), and therefore X is an environmental bisimulation up-to context, which proves the behavioural equivalence of the original processes c(X).run(X) and νf.(f[c(X).run(X)] | !f(Y).f[run(Y)]).
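The argument above (P consumes its run(' ) wrappers, Q can pile them up by passivating and respawning but can always consume them again) can be checked mechanically on a finite abstraction. The following is an added example, not code from the paper: after the input of R on c, both sides are turned into small labelled transition systems, with two assumptions of this example's own making: the received process R is fixed to a single visible action "r" followed by termination, and the number of nested run(.) wrappers that the restarter can accumulate inside f is capped at K. The state names, the action name "r", the bound K and the contrasting "lossy restarter" variant are all this example's conventions. A generic weak-bisimulation checker (greatest fixpoint over weak moves tau* a tau*) then confirms the equivalence in the bounded model, and rejects the variant whose restarter respawns an empty location.

```python
"""Weak bisimulation check on a finite abstraction of Example 4 (added example)."""
from itertools import product

TAU = "tau"


def weak_moves(lts):
    """Weak transitions of every state: s ==a==> s' (a != tau) means tau* a tau*,
    and s ==tau==> s' means tau*, zero steps included."""
    states = set(lts)
    for moves in lts.values():
        states.update(t for _, t in moves)
    reach = {s: {s} for s in states}          # tau* reachability, least fixpoint
    changed = True
    while changed:
        changed = False
        for s in states:
            for t in list(reach[s]):
                for a, u in lts.get(t, ()):
                    if a == TAU and u not in reach[s]:
                        reach[s].add(u)
                        changed = True
    weak = {s: set() for s in states}
    for s in states:
        for t in reach[s]:
            weak[s].add((TAU, t))
            for a, u in lts.get(t, ()):
                if a != TAU:
                    weak[s].update((a, v) for v in reach[u])
    return weak


def largest_weak_bisimulation(lts1, lts2):
    """Greatest fixpoint: start from all pairs, drop any pair where one side has a
    weak move the other side cannot match into a pair still in the relation."""
    w1, w2 = weak_moves(lts1), weak_moves(lts2)
    rel = set(product(w1, w2))

    def matched(moves_a, moves_b, pair):
        return all(any(lb == la and pair(sa, sb) in rel for lb, sb in moves_b)
                   for la, sa in moves_a)

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (matched(w1[p], w2[q], lambda x, y: (x, y))
                    and matched(w2[q], w1[p], lambda x, y: (y, x))):
                rel.discard((p, q))
                changed = True
    return rel


# lhs after receiving R on c:  run(R) -tau-> R -r-> 0   (R assumed to be a single "r" action)
LHS = {"run(R)": {(TAU, "R")}, "R": {("r", "0")}, "0": set()}


def loc(body, k):
    """State name for f[run^k(body)]; the replicated restarter !f(Y).f[run(Y)] is
    implicit in every rhs state."""
    return "f[" + "run(" * k + body + ")" * k + "]"


def rhs_lts(K):
    """rhs after receiving R on c, with at most K nested run(.) wrappers (assumed bound)."""
    lts = {}
    for body in ("R", "0"):
        for k in range(K + 1):
            moves = set()
            if k > 0:                       # run(P) -tau-> P inside the location f
                moves.add((TAU, loc(body, k - 1)))
            if k < K:                       # passivate f[...] and respawn as f[run(...)]
                moves.add((TAU, loc(body, k + 1)))
            if k == 0 and body == "R":      # the received process R fires its action
                moves.add(("r", loc("0", 0)))
            lts[loc(body, k)] = moves
    return lts


def rhs_lossy_lts():
    """Constructed contrast: a restarter f(Y).f[0] that respawns an empty location,
    so a crash loses the running process instead of resuming it."""
    return {
        loc("R", 1): {(TAU, loc("R", 0)), (TAU, loc("0", 0))},
        loc("R", 0): {("r", loc("0", 0)), (TAU, loc("0", 0))},
        loc("0", 0): {(TAU, loc("0", 0))},
    }


def example4_equivalent(K=3):
    """True iff run(R) and f[run(R)] are weakly bisimilar in the K-bounded model."""
    return ("run(R)", loc("R", 1)) in largest_weak_bisimulation(LHS, rhs_lts(K))


def lossy_equivalent():
    """False: once the process can be lost, rhs has a tau move lhs cannot match."""
    return ("run(R)", loc("R", 1)) in largest_weak_bisimulation(LHS, rhs_lossy_lts())


if __name__ == "__main__":
    print("Example 4 (bounded model):", example4_equivalent())   # True
    print("lossy restarter:", lossy_equivalent())                  # False
```

The relation the checker returns for the bounded model is exactly the one the proof describes: run('R) and R are both related to every f[run^k(R)], and the terminated lhs is related to every f[run^k(0)], so the only thing the restarter can change is the number of run(' ) wrappers, which weak transitions absorb.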

Example 5. c(X).run(X) ≈ c(X).νa.(ā⟨X⟩ | !νf.(f[a(X).run(X)] | f(Y).ā⟨Y⟩)). This example is a variation of Example 4 modelling a system where computation is resumed on another computer after a failure.

Proof. Take X = X_1 ∪ X_2 ∪ X_3 where:

X_1 = {(Γ, ∅, c(X).run(X), c(X).νa.(ā⟨X⟩ | F)) | Γ ⊇ {c}},
X_2 = {(Γ, ∅, P_1, νa.(F | R_1 | R_2 | ā⟨'P_2⟩)) |
    Γ ⊇ {c} ∪ fn(P), P_1, P_2 ∈ {run('P), P}, R_1 = ā⟨N_1⟩ | ... | ā⟨N_n⟩,
    R_2 = νl_1.(l_1[Q_1] | l_1(Y).ā⟨Y⟩) | ... | νl_m.(l_m[Q_m] | l_m(Y).ā⟨Y⟩),
    N_1, ..., N_n, 'Q_1, ..., 'Q_m = 'run('run(... 'run('a(X).run(X)) ...)), n ≥ 0},
X_3 = {(Γ, ∅, P_1, νa.(F | R_1 | R_2 | νl.(l[P_2] | l(Y).ā⟨Y⟩))) |
    Γ ⊇ {c} ∪ fn(P), P_1, P_2 ∈ {run('P), P}, R_1 = ā⟨N_1⟩ | ... | ā⟨N_n⟩,
    R_2 = νl_1.(l_1[Q_1] | l_1(Y).ā⟨Y⟩) | ... | νl_m.(l_m[Q_m] | l_m(Y).ā⟨Y⟩),
    N_1, ..., N_n, 'Q_1, ..., 'Q_m = 'run('run(... 'run('a(X).run(X)) ...)), n ≥ 0},
F = !νf.(f[a(X).run(X)] | f(Y).ā⟨Y⟩).

The set of names Γ and the environment share the same fate as those of Example 4, for identical reasons. For ease, we write lhs and rhs to conveniently denote each of the tested processes.

Verification of the bisimulation clauses of X_1 is immediate and leads to a member (Γ, ∅, run('P), νa.(ā⟨'P⟩ | F)) of X_2 for some 'P with ('P, 'P) ∈ (∅;Γ)*. For X_2, lhs can do an internal action (consuming its outer run(' )) that rhs does not have to follow since we work with weak bisimulations, and the result is still in X_2; conversely, internal actions of rhs do not have to be matched. Some of those transitions that rhs can do are reactions between replications from F. All those transitions create elements of either R_1 or R_2 that can do nothing but internal actions and can be ignored further in the proof thanks to the weakness of our bisimulations.

Whenever lhs does an observable action α, that is, when P_1 —α→ P', rhs must do a reaction between ā⟨'P_2⟩ and F, giving νl.(l[P_2] | l(Y).ā⟨Y⟩) —α→ νl.(l[P'] | l(Y).ā⟨Y⟩), which satisfies X_3's definition. Moreover, all transitions of P_1 or P_2 in X_3 can be matched by the other, hence preserving membership in X_3. Finally, a subprocess νl.(l[P_2] | l(Y).ā⟨Y⟩) of rhs can do a τ transition to ā⟨'P_2⟩, and the residues belong back to X_2.

This concludes the proof of behavioural equivalence of the original processes c(X).run(X) and c(X).νa.(ā⟨X⟩ | !νf.(f[a(X).run(X)] | f(Y).ā⟨Y⟩)).

5 Discussion and future work

In the original higher-order π-calculus with passivation described by Lenglet et al. [?], terms are identified with processes: its syntax is just P ::= 0 | X | a(X).P | ā⟨P⟩.P | (P | P) | a[P] | νa.P | !P. We conjecture that it is also possible to develop sound environmental bisimulations (and up-to context, etc.) for this version of HOπP, as we [12] did for the standard higher-order π-calculus. However, we chose not to cover directly the original higher-order π-calculus with passivation, for two reasons: (1) the proof method of [12], which relies on guarded processes and a factorisation trick using the spawning clause of the bisimulation, is inadequate in the presence of locations; (2) there is a very strong constraint in clause 4 of up-to context in [12, Definition E.1 (Appendix)] (the context has no hole for terms from ℰ). By distinguishing processes from terms, not only is our up-to context method much more general, but our proofs are also direct and technically simple. Although one might argue that the presence of the run operator is a burden, by using Definition 3 one could devise an "up-to run" technique and abstract run(... 'run('P)) as P, making equivalence proofs easier to write and understand.

As described in Remark 1, removing the limitation on the environments is left for future work. We also plan to apply environmental bisimulations to (a substantial subset of) the Kell calculus so that we can provide a practical alternative to context bisimulations in a more expressive higher-order distributed process calculus. In the Kell calculus, locations are not transparent: one discriminates messages on the grounds of their origins (i.e. from a location above, below, or from the same level). For example, consider the (simplified) Kell processes P = ā⟨M⟩.!b[ā] and Q = ā⟨N⟩.!b[ā] where M = ā and N = 0. They seem bisimilar assuming environmental bisimulations naively like those in this paper: intuitively, both P and Q can output (respectively M and N) to channel a, and their continuations are identical; passivation of spawned l[M] and l[N] for a known location l would be immediately matched; finally, the output to channel a under l, turning P's spawned l[M] into l[0], could be matched by an output to a under b by Q's replicated b[ā]. However, M and N behave differently when observed from the same level (or below), for example as in l[M | a(Y).ok] and l[N | a(Y).ok], even in the presence of !b[ā]. More concretely, the context [·] | a(X).c[X | a(Y).ok] distinguishes P and Q, showing the unsoundness of such a naive definition. This suggests that, to define sound environmental bisimulations in Kell-like calculi with non-transparent locations, we should require a stronger condition such as bisimilarity of M and N in the output clause. Developments on this idea are in progress.